Vulnerabilities > CVE-2005-1985 - Buffer Overflow vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 5 |
Nessus
NASL family Windows NASL id SMB_KB899589.NASL description The remote host contains a version of the Client Service for NetWare that is vulnerable to a buffer overflow. An attacker may exploit this flaw by connecting to the NetWare RPC service (possibly over IP) and triggering the overflow by sending a malformed RPC request. last seen 2020-06-01 modified 2020-06-02 plugin id 20006 published 2005-10-11 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20006 title MS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(20006); script_version("1.26"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_cve_id("CVE-2005-1985"); script_bugtraq_id(15066); script_xref(name:"MSFT", value:"MS05-046"); script_xref(name:"MSKB", value:"899589"); script_name(english:"MS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589) (uncredentialed check)"); script_summary(english:"Determines the presence of update 899589 (remote check)"); script_set_attribute(attribute:"synopsis", value: "A flaw in the client service for NetWare may allow an attacker to execute arbitrary code on the remote host."); script_set_attribute(attribute:"description", value: "The remote host contains a version of the Client Service for NetWare that is vulnerable to a buffer overflow. An attacker may exploit this flaw by connecting to the NetWare RPC service (possibly over IP) and triggering the overflow by sending a malformed RPC request."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-046"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:netwareclnt"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_family(english:"Windows"); script_dependencies("smb_nativelanman.nasl","smb_login.nasl"); script_require_keys("Host/OS/smb"); script_require_ports(139,445); exit(0); } # include ('smb_func.inc'); global_var rpipe; function RPC_Request (pipe) { local_var fid, data, rep, ret; fid = bind_pipe (pipe:"\browser", uuid:"e67ab081-9844-3521-9d32-834f038001c0", vers:1); if (isnull (fid)) return 0; data = class_parameter (ref_id:0x20000, name:"tns1") + class_parameter (ref_id:0x20004, name:"tns2") + raw_dword (d:0); session_set_timeout (timeout:20); data = dce_rpc_pipe_request (fid:fid, code:0x2d, data:data); if (!data) return 0; rep = dce_rpc_parse_response (fid:fid, data:data); if (!rep || (strlen(rep) != 8)) return 0; ret = get_dword (blob:rep, pos:4); if ((ret == ERROR_INVALID_PARAMETER) || (ret == ERROR_ACCESS_DENIED)) return 0; return 1; } os = get_kb_item ("Host/OS/smb") ; if ("Windows" >!< os) exit(0); port = get_kb_item("SMB/transport"); if(!port)port = 445; if ( ! get_port_state(port) ) exit(0); soc = open_sock_tcp(port); if ( ! soc ) exit(0); name = kb_smb_name(); session_init(socket:soc, hostname:name); r = NetUseAdd(share:"IPC$"); if ( r == 1 ) { ret = RPC_Request(); if (ret == 1) security_hole(port:port); NetUseDel(); }NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS05-046.NASL description The remote host contains a version of the Client Service for NetWare that is vulnerable to a buffer overflow. An attacker could exploit this flaw by connecting to the NetWare RPC service (possibly over IP) and trigger the overflow by sending a malformed RPC request. last seen 2020-06-01 modified 2020-06-02 plugin id 19999 published 2005-10-11 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19999 title MS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589)
Oval
accepted 2011-05-16T04:00:19.694-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. family windows id oval:org.mitre.oval:def:1106 status accepted submitted 2005-10-12T12:00:00.000-04:00 title CSNW Remote Buffer Overflow via Network Messages (WinXP,SP1) version 68 accepted 2011-05-16T04:00:33.573-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Dragos Prisaca organization Gideon Technologies, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description ute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. family windows id oval:org.mitre.oval:def:1210 status accepted submitted 2005-10-12T12:00:00.000-04:00 title CSNW Remote Buffer Overflow via Network Messages (WinXP,SP2) version 69 accepted 2011-05-16T04:01:15.712-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name John Hoyland organization Centennial Software name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. family windows id oval:org.mitre.oval:def:1536 status accepted submitted 2005-10-12T12:00:00.000-04:00 title CSNW Remote Buffer Overflow via Network Messages (Win2k,SP4) version 68 accepted 2011-05-16T04:01:17.285-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Jonathan Baker organization The MITRE Corporation name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. family windows id oval:org.mitre.oval:def:1544 status accepted submitted 2005-10-12T12:00:00.000-04:00 title CSNW Remote Buffer Overflow via Network Messages (Server 2003) version 68 accepted 2011-05-16T04:03:35.840-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. family windows id oval:org.mitre.oval:def:910 status accepted submitted 2005-10-12T12:00:00.000-04:00 title CSNW Remote Buffer Overflow via Network Messages (Server 2003,SP1) version 68
References
- http://secunia.com/advisories/17165
- http://securitytracker.com/id?1015041
- http://www.osvdb.org/19922
- http://www.securityfocus.com/bid/15066
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-046
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21700
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1106
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1210
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1536
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1544
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A910